fc417fc802 5 days ago

You misrepresent my position. The attack you describe isn't the one being discussed here. Unless I've completely misunderstood, the algorithm itself was broken here.

As to the attack you reference: it's active and touchy to pull off. It doesn't particularly concern me, but of course it would be better if it weren't possible. To that end, I'm not clear why there's a double transmission with two distinct and independently usable codes. What am I missing?

I thought the attacker jammed, recorded two user attempts (i.e. two distinct button clicks, neither being permitted through initially), then rebroadcast the first attempt while retaining the second for later.

> The rx enforces the sequence goes up.

Except that there's apparently a rolling window to support recovering from desync. Which to me sounds more complicated and error prone than a simple nonce that can only ever go up.

Really though the manufacturers ought to (IMO) accept the extra dollar or five on the BoM that it would take to get proper two way communication.
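The jam / record / replay sequence and the receiver's resync window discussed in the comment above, as an added example that is not part of the original post and does not model any particular product. It is a toy simulation: the shared key, the 4-byte counter plus truncated HMAC-SHA256 message layout, and the window size of 16 are all my own assumptions. It shows why the retained second code is still accepted later under a window-based acceptance rule, why a counter that has run past the window is rejected (the desync case the window exists for), and, for contrast with the two-way communication the comment asks for, a challenge-response receiver against which a recorded response is useless.

```python
"""Toy model of a one-way rolling-code receiver and the jam/record/replay
sequence, plus a two-way challenge-response receiver for comparison.
Added example; key, message layout and window size are assumptions."""
import hashlib
import hmac
import os

WINDOW = 16            # assumed resync window: accept counters in (last, last + WINDOW]
KEY = b"\x01" * 16     # constructed shared secret between fob and receiver


def fob_code(key: bytes, counter: int) -> bytes:
    """One fob transmission: 4-byte counter followed by an 8-byte truncated HMAC tag."""
    ctr = counter.to_bytes(4, "big")
    tag = hmac.new(key, ctr, hashlib.sha256).digest()[:8]
    return ctr + tag


class RollingCodeReceiver:
    """One-way receiver: valid tag and counter inside the window, then advance."""

    def __init__(self, key: bytes, window: int = WINDOW) -> None:
        self.key = key
        self.window = window
        self.last = 0          # highest counter accepted so far

    def accept(self, msg: bytes) -> bool:
        ctr = int.from_bytes(msg[:4], "big")
        expected = hmac.new(self.key, msg[:4], hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(msg[4:], expected):
            return False                        # forged or corrupted frame
        if not (self.last < ctr <= self.last + self.window):
            return False                        # old counter (replay) or too far ahead (desync)
        self.last = ctr
        return True


def jam_and_replay_attack(receiver: RollingCodeReceiver, key: bytes) -> dict:
    """The sequence from the comment: jam two presses, replay the first, keep the second."""
    fob_counter = receiver.last
    fob_counter += 1
    first = fob_code(key, fob_counter)          # press 1: jammed, recorded by attacker
    fob_counter += 1
    second = fob_code(key, fob_counter)         # press 2: jammed, recorded by attacker
    return {
        "first_replay_accepted": receiver.accept(first),    # receiver never saw press 1
        "retained_second_accepted": receiver.accept(second),  # still fresh from its view
        "second_replayed_again": receiver.accept(second),   # counter no longer > last
    }


def desync_check(key: bytes, presses_out_of_range: int) -> bool:
    """Receiver that saw none of N presses: accepted only if N is within the window."""
    receiver = RollingCodeReceiver(key)
    return receiver.accept(fob_code(key, presses_out_of_range))


class ChallengeResponseReceiver:
    """Two-way receiver: fresh random challenge per attempt, response is HMAC over it."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.pending = None

    def challenge(self) -> bytes:
        self.pending = os.urandom(16)
        return self.pending

    def accept(self, response: bytes) -> bool:
        if self.pending is None:
            return False
        expected = hmac.new(self.key, self.pending, hashlib.sha256).digest()
        self.pending = None                     # each challenge is single-use
        return hmac.compare_digest(response, expected)


def fob_respond(key: bytes, challenge: bytes) -> bytes:
    return hmac.new(key, challenge, hashlib.sha256).digest()


def recorded_response_replay(key: bytes) -> dict:
    """Record one legitimate response, then replay it against a later challenge."""
    receiver = ChallengeResponseReceiver(key)
    recorded = fob_respond(key, receiver.challenge())
    live = receiver.accept(recorded)            # the session it was made for
    receiver.challenge()                        # a later, different challenge
    return {"live_accepted": live, "replay_accepted": receiver.accept(recorded)}


if __name__ == "__main__":
    print("rolling code:", jam_and_replay_attack(RollingCodeReceiver(KEY), KEY))
    print("desync, 16 missed presses accepted:", desync_check(KEY, WINDOW))
    print("desync, 17 missed presses accepted:", desync_check(KEY, WINDOW + 1))
    print("challenge-response:", recorded_response_replay(KEY))
```

The window only decides how many missed presses the receiver will tolerate; it is not what makes the retained second code usable. That code is accepted because the receiver has no way to tell a delayed genuine frame from a live one, which is exactly what the per-attempt challenge in the second receiver removes. Challenge-response stops replay of a recording; a relay of the live exchange is a separate problem that this toy does not address.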